Method and device of generating logic control units for railroad station-based vital computer apparatuses

ABSTRACT

A method of generating logic control units for railroad station-based vital computer apparatuses, i.e. in railroad station system control units comprising at least one vital computer which, on the basis of a control program operating in combination with a logic unit, sends state switching controls to yard elements and receives state feedback and/or diagnostic signals from the yard elements. The logic unit is generated automatically by a program, based on the surrounding conditions as defined by the station diagram and by a state table, the logic unit being a network of circuits with components operating according to Boolean logic functions and appropriate structure in compliance with the station diagram and with the state table. The logic control unit may be a program which includes algorithms composed of Boolean logic functions, which operate like networks of Boolean logic circuits. A step for checking the correctness of the automatically generated logic unit is provided, which includes a plurality of steps to check for structural differences.

The invention addresses a method of generating logic control units for railroad Station-based Vital Computer Apparatuses, i.e. in railroad station system control units comprising at least one vital computer which, on the basis of a control program operating in combination with a logic unit, sends state switching controls to so-called yard elements, i.e. devices that are designed to perform specific train circulation-related operations, such as signaling devices and/or railroad switches and/or track circuits, or the like, and receives state feedback and/or diagnostic signals from said yard elements, said logic unit being generated automatically by a program, on the basis of the surrounding conditions as defined by the station diagram, comprising the list of yard elements and the location thereof with respect to tracks, and by a state table, wherein state assuming and/or state switching rules are settled for said yard elements, with reference to state and/or to state switching of the other yard elements and/or to the proper management of railroad traffic, said logic unit being a network of circuits with components operating according to Boolean logic functions and appropriately structured in compliance with the station diagram and with the state table, or said logic control unit being a program which includes algorithms composed of Boolean logic functions, which operate like networks of Boolean logic circuits.

A method and a system of this type is known from the Italian Patent application ITGE94A000061.

Station systems generally include a central unit which generates controls for different yard elements, such as signals and/or switches and/or track circuits, or the like. In order to ensure that trains can transit safely, these yard elements shall assume different states, such as a “track open” or a stop signal, or the switching of a railroad switch according to a certain logic, which accounts for the states or state switching of other yard elements which, when brought to or left in certain states, might cause collisions or dangerous situations, or even simply not meet the regulations of admitted train circulation operations.

Yard elements are generally provided with actuators which perform state switching operations and with control and/or monitoring and/or diagnostic devices which send signals about the current state and the functionality thereof, so that the station-based stationary apparatus, i.e. the central control unit, may have all railroad traffic settings under control at all times. Therefore, a predetermined state switching control transmitted to a particular element generates a chain of state maintaining or switching controls to other yard elements according to well-defined rules. Hence, the central control unit not only has control output subunits to communicate with each of the different elements in a dedicated manner, both for sending controls and for receiving feedback, but shall also operate under a strict logic, which incorporates yard element state switching rules, in compliance with safety assurance operations. These networks may be, and actually have been, purely made of hardware, i.e. of networks of circuits connected to a plurality of hardware components designed to perform predetermined Boolean operations. Typically, in railroad applications, the components designed to perform Boolean operations consisted of relay connection circuits or logic integrated circuits specially designed and connected to generate control outputs compatible with yard element state switching rules.

As computers were introduced in railroad applications, hardware logic units were progressively replaced by control and monitoring programs including sets of Boolean equations, which describe the behaviors of the individual hardware Boolean operators and form, when appropriately integrated in a logic control program, a hardware-equivalent virtual logic unit.

A central vital computer may include different standardized library procedures, e.g. drivers for generating state switching controls, programs for managing diagnostic, control and monitoring functions which incorporate control and monitoring structures and reproduce general safety regulated movement rules. However, these general management programs need to be specially customized based on the particular structure of the station system, i.e. of its yard elements, and on related state switching rules, the so-called state tables. To this end, each central unit needs a logic control program for relating control and monitoring operations to the surrounding conditions, as defined by the station system structure. These control logics cannot be prefabricated but are application-dependent, i.e. depend on the specific station system construction.

Control logics, composed of sets of Boolean equations, whose variables are given by the states of the different elements and by the state controls and diagnostic data thereof, are known to be generated by automatic systems, i.e. generation programs which generate the sets of Boolean equations that form the algorithms of station-specific control and monitoring logic programs by using state tables or state switching tables and the station system diagram as a knowledge or input base.

In prior art, the method provides the implementation of the control logic so obtained in the vital computer of the logic control and monitoring module, and a consequent functional check, by possibly editing the logic program when errors or state incompatibilities between yard elements occur. This functional check typically includes field tests, i.e. is performed when the control and monitoring unit is installed in the specific station system.

The check mode is relatively complex and time-consuming. Further, when the logic unit is not a software product, but is composed of a set of electronic components designed to perform Boolean functions, the implementation is even more difficult, because the circuit has to be constructed before checking the operation thereof.

The invention has the object of improving a method as described above to reduce time requirements and simplify checking operations, while maintaining a high operational safety of the logic unit, in compliance with yard element state switching rules and with the station structure.

The invention achieves the above purposes by providing a method as described hereinbefore, which includes the following steps:

-   parallel generation of two logic control units, according to the same station diagram and the same state table, the two units being generated by two generation programs which are as different as possible from each other;
-   comparison between the networks of logic circuits or the network-simulating logic programs provided by the two different generation programs to check for differences therebetween.

When no difference is found, the Boolean equations of the logic control and monitoring unit shall be deemed correct. When differences are detected, changes and corrections shall be made.

These changes and corrections may even consist in checking that the state tables and the station diagram are properly coded in a discernible format for generation programs.

The two logic generation programs are independent, and may differ both in terms of programming languages and in terms of systematic variable analysis and reading approach.

In very big station systems, a great number of variables is provided and, although the algorithm is only meant to perform simple operations, the number of yard elements and the logic connections between states may require a hard processing task. Here, processing algorithms may be used that consist of so-called neural networks, whereto lists of yard elements and state tables governing state or state switching relations between yard elements are provided as a knowledge base. Neural networks provide the considerable advantage that they extend their knowledge use after use, since the knowledge base and the interpretation thereof progressively increase, and the computing modes are changed as a result thereof. Moreover, neural networks use the knowledge base substantially regardless of the specific structure of the state table and the station diagram, and are generally able to recognize identical or similar situations and to use them as an experience to handle new situations having analogies with knowledge base situations.

The logic control units generated by the two generation programs consist, when provided in software form, of a set of equations whose generation was based on the state table and on station element related information.

Station element related information includes the type of inputs and outputs required by station elements, an ID code and a control program, i.e. a driver for turning the control generated by the logic unit into a discernible control for the yard element and time tags.

It shall be noted that, like in prior art, the control logic is independent from the specific driver type, and that it only needs to know control input and/or control output variables.

This allows the method to be also used on existing control units when the station is to be extended. In this case, a new control logic is generated to account for variations, and no driver or other components must be provided other than those existing in the memories of the central control unit, in specially dedicated sections, which are appropriately recalled or routed by the logic control unit, when the relevant element is to be handled.

In this case, the generation programs, as well as the state table and station diagram input or reading modules, may form a stable section in the managing software of the central control unit, i.e. the Vital Computer Stationary Apparatus.

As a program for comparing the resulting logic units, i.e. the equations of algorithms that define logic units, comparison software products may be used, e.g. MKS Visual Difference for Win 32, Release 3.2b by Mortice Kern Systems Inc. and/or Microsoft® WinDiff, Release 4.0 by Microsoft Corp.

If a coincident result is obtained from the comparison between the logic control units generated by the two different generation programs, i.e. if no difference is detected, the generated logic control unit is deemed to be correct.

If the two units do not coincide, the comparing program provides a list of differences that shall be analyzed to make corrections, whereupon the steps of generating the logic control unit by the two different generation programs and of comparing them shall be repeated.

The advantage of this check mode is considerable, since it can be performed without requiring the control logic to be actually implemented in the system, checking operations being performed directly and only on the virtual data of the computer used for generating the logic control unit. The generated logic control unit is not even required to be loaded in the central control unit, nor is it necessary to interface it with the control programs and the drivers contained therein.

In accordance with another characteristic, the control logic generation programs receive an input which not only includes yard element state-related variable data, but also monitoring signal state-related variable data, which are provided by yard elements as an output to the central control unit.

Besides monitoring variable-related data, the generation programs of the control logic also receive yard element diagnostic variable-related data.

According to an additional improvement, the comparison program and/or the second generation program and/or both generation programs include routines for displaying the encountered errors, which are provided as error messages.

Here again, correction routines may be provided, to be initiated by the user at will or skipped, if the user decides to make organic and structured corrections at the end of the generating and/or comparing procedure.

In accordance with yet another improvement, since the two control logic generating programs must be at least slightly different, at least one of the two generation programs may include a starting routine for analyzing input data, i.e. the state table and/or the state switching table and/or the list of yard elements in the specific station system diagram.

Here, the above input data are checked for structural consistency both as regards coding or structure thereof, and as regards the presence of errors or logical contradictions, such as keys identifying non-unique yard elements, prohibited or impossible combinations of yard elements which are required by the station system, etc. Therefore, in this preliminary phase, perfect consistency is ensured for the input database that forms the knowledge base of logic control unit generating programs.
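A sketch of such a preliminary input check, added here as an illustration and not taken from the patent or from the ades2 programs. The record layout, the element names, the admitted-state sets and the finding codes are all assumptions, and the sample data is constructed with seeded errors.

```python
from collections import Counter

# Constructed sample input (assumed layout, not the patent's file format).
ELEMENTS = [
    {"id": "SIG_1", "type": "signal"},
    {"id": "SW_1", "type": "switch"},
    {"id": "TC_1", "type": "track_circuit"},
    {"id": "SW_1", "type": "switch"},            # seeded error: non-unique key
]
ADMITTED_STATES = {                              # assumed states per element type
    "signal": {"open", "stop"},
    "switch": {"normal", "reverse"},
    "track_circuit": {"free", "occupied"},
}
# Each rule: to bring `target` into `state`, every (element, state) pair in
# `requires` must hold.
STATE_TABLE = [
    {"target": "SIG_1", "state": "open",
     "requires": [("SW_1", "normal"), ("TC_1", "free")]},
    {"target": "SIG_1", "state": "stop",
     "requires": [("SW_2", "normal")]},                        # unknown element
    {"target": "SIG_1", "state": "open",
     "requires": [("SW_1", "normal"), ("SW_1", "reverse")]},   # impossible combination
    {"target": "TC_1", "state": "green", "requires": []},      # state not admitted
]


def check_knowledge_base(elements, state_table, admitted=ADMITTED_STATES):
    """Return a list of (code, detail) findings; an empty list means the
    input is structurally consistent and generation may proceed."""
    findings = []

    # 1. Keys must identify exactly one yard element.
    counts = Counter(e["id"] for e in elements)
    for elem_id, n in sorted(counts.items()):
        if n > 1:
            findings.append(("DUPLICATE_ID", elem_id))

    types = {e["id"]: e["type"] for e in elements}

    # 2. Every rule may only reference known elements, in admitted states,
    #    and may not demand two different states of one element at once.
    for idx, rule in enumerate(state_table):
        refs = [(rule["target"], rule["state"])] + list(rule["requires"])
        seen = {}
        for elem_id, state in refs:
            if elem_id not in types:
                findings.append(("UNKNOWN_ELEMENT", f"rule {idx}: {elem_id}"))
                continue
            if state not in admitted.get(types[elem_id], set()):
                findings.append(("BAD_STATE", f"rule {idx}: {elem_id}={state}"))
            if elem_id in seen and seen[elem_id] != state:
                findings.append(
                    ("CONTRADICTION", f"rule {idx}: {elem_id} {seen[elem_id]}/{state}"))
            seen.setdefault(elem_id, state)
    return findings


if __name__ == "__main__":
    for code, detail in check_knowledge_base(ELEMENTS, STATE_TABLE):
        print(f"{code}: {detail}")
```

Running the check before either generator starts keeps a miscoded input from producing two identical but wrong equation sets, which the later comparison alone would not reveal.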

It shall be noted that the inventive method allows very easy integrations in station systems wherein yard elements have to be added. In fact, since prefabricated driver units are provided for each yard element, new yard elements may be simply added by updating the station system diagram, i.e. the list of elements and the state tables, and by generating in parallel two logic control units, as well as by comparing them to update the central control unit to the new station system situation.

The logic control unit generating programs are substantially unrelated from yard element types, and do not require knowledge of the individual yard element drivers, nor of monitoring and diagnostic systems, but only need the indication of the number and type of the control data to be provided to the yard element and the monitoring and diagnostic data to be transmitted by the yard element or the driver units thereof. The compliance of these control and monitoring or diagnostic variables with the yard element is ensured by the specific driver which turns the control and monitoring and diagnostic variables into the structure required by the yard element hardware, as regards control variables, and into the structure required by the central control unit, as regards monitoring and diagnostic variables.

The invention also addresses an operating Railroad Vital Station Control Apparatus (so-called ASCV), which is designed to form the central control unit for a plurality of yard elements of a station system, which Railroad Station-based Vital Computer Apparatus includes inputs for monitoring and diagnostic signals generated by yard elements, outputs for yard element state switching control signals, a control program which has a driver for each different type of yard element, i.e. a program for controlling and interfacing the control variables generated by the station apparatus and transmitted to the yard elements and/or monitoring and/or general diagnostic variables generated by yard elements and transmitted to the station apparatus, a station system diagram, i.e. a knowledge base containing a list of the station system yard elements and the relations therebetween, a database of state assuming or state switching rules admitted for the different yard elements according to safe railroad traffic management requirements, the so-called state table, a logic control unit which includes algorithms consisting of Boolean equations and/or logic functions for proper control transmission and concatenation of yard element control sequences according to the station system diagram and to the state table.

In accordance with the invention, the Station-based Vital Computer Apparatus further includes a program for automated and redundant generation of the algorithms which form the logic control unit, which uses redundancy to perform a software check of said algorithms of the logic control unit.

This program forms a routine that the user can recall whenever the station system diagram is changed, i.e. when yard elements are added or removed and/or station traffic management rules, i.e. the state table, are changed.

Redundancy is generated by using two different programs for generating the Boolean algorithms that form the logic control unit, which programs provide two logic control units, whose algorithms, i.e. Boolean equations, are compared, and are deemed to be correct when no difference between the generation algorithms results from the comparison.

The correctness of logic control unit algorithms is totally ensured by providing two generation programs which are different to a certain extent, their difference level being provided by using two different programming languages for the generation programs and/or by having the two generation programs developed by two different developing teams and/or by using different structures of input data, i.e. of station system diagram and/or state table data, which are nevertheless consistent with station system diagram and state table restrictions, the latter being the same for both generation programs.

Improvements of the invention will form the subject of the dependent claims.

The advantages of the invention will appear more clearly from the following description of a non-limiting embodiment which is described on the basis of the annexed figures, in which:

FIG. 1 is a flow chart of the inventive method.

FIG. 2 is a block diagram of a station system, having a Vital Computer Apparatus according to this invention.

Referring to FIG. 1, the method of the invention provides the automated and redundant generation of the station system controlling and monitoring logic, i.e. a central unit for controlling and supervising the different elements, such as lights, railroad switches, track circuits, or the like, located in a particular station. The central control and monitoring unit, which is named Station-based Vital Computer Stationary Apparatus, generally includes two logic control and monitoring levels. The general procedure-oriented control, monitoring and possibly diagnostic logics consist of procedure-oriented programs which are independent from specific station systems and from the structure thereof, as well as from the number and types of elements and/or of the particular railroad traffic requirements. Typically, these programs use logic structures that transmit Boolean output data and receive Boolean input data, having true/false meanings.

These universal procedure-oriented programs cannot operate properly in all systems, and require processing of logic data, particularly controls and feedbacks, as well as diagnostic data, which are structured in compliance with the specific configurations of the railroad station system. Further, any specific station system must accomplish specific railroad traffic management operations, which are to be performed according to predetermined safe management rules. These rules require the concatenation of state assuming controls to and proper performance feedbacks from the different elements in accordance with predetermined diagrams which do not only depend on the specific system, but also on state control and switching standards, and on movement execution rules, which vary on a per-case basis and depending on railroad traffic management organizations.

With reference to the above and to FIG. 1, the invention relates to a method for automated generation of said station system-specific control and monitoring logics, which includes a first step for processing station system diagram data and element control management and/or state switching rules, in a discernible form, from a program for generating said control and monitoring and/or diagnostic logic. Therefore, two databases are generated, one for system configuration and the other for element state assuming and/or switching rules which accounts for relations or concatenations of controls with other elements that are possibly involved by the control of a first element.

The station system construction configuration database and the state table database (state assuming or state switching rules for the different elements) form the so-called knowledge base for an algorithm for generating the control and monitoring and/or diagnostic logic for the specific railroad system.

Then, the data are transmitted as a knowledge database to a program for analyzing and generating control and monitoring Boolean equations, which equations substantially constitute the algorithms that form the control and monitoring program. Parallel thereto, the same knowledge base data relating to the station system and to the state table is transmitted to a second analysis and processing program which generates a second set of Boolean equations, to form a second logic control and monitoring program relating to the same station and based on the same management rules as the first program.

Then, the two sets of Boolean equations are compared by comparison algorithms. The comparison result determines if the Boolean equations which form the core of the station-specific control and monitoring logic program have been generated correctly or if generation errors occurred.

When the two sets of Boolean equations are found to be identical, they are deemed to be correct, and the control and monitoring logic program is deemed to be safety-certified. When differences are detected, the comparison program transmits difference reporting messages, which may also include error message notes or specific indications on the detected differences and on the errors which may possibly or probably have caused the differences.

In the latter case, a correction action is needed, whereupon the generation process must be repeated.
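The generate-twice-and-compare flow described above, as an added example that is not code from the patent or from ades2/ades2++. The one-line equation syntax, the `#` comment marker, the table layout and the `seeded_defect` switch are assumptions made for the illustration; the state table is constructed.

```python
import difflib
from collections import defaultdict

# Constructed state table: (element, state, conditions). Two rows for the
# same element/state are alternatives, i.e. an OR of AND-products.
STATE_TABLE = [
    ("SIG_2", "open", [("SW_1", "reverse"), ("TC_2", "free")]),
    ("SIG_1", "open", [("TC_1", "free"), ("SW_1", "normal")]),
    ("SIG_1", "open", [("SW_1", "reverse"), ("TC_1", "free"), ("TC_2", "free")]),
]


def _format(products_by_output, header):
    """Write equations in one agreed order so that a text diff is meaningful."""
    lines = [header]
    for out in sorted(products_by_output):
        products = sorted(products_by_output[out])
        body = " | ".join("(" + " & ".join(p) + ")" for p in products)
        lines.append(f"{out} = {body}")
    return lines


def generate_a(table):
    """Generator A: rule-driven, walks the table row by row."""
    by_output = defaultdict(list)
    for elem, state, conds in table:
        by_output[f"{elem}.{state}"].append(sorted(f"{e}.{s}" for e, s in conds))
    return _format(by_output, "# generator A")


def generate_b(table, seeded_defect=False):
    """Generator B: term-driven. Builds an inverted index from each input
    term to the (output, row) products it feeds, then reassembles them."""
    index = defaultdict(set)
    for row, (elem, state, conds) in enumerate(table):
        for e, s in conds:
            if seeded_defect and row == 0 and e.startswith("TC_"):
                continue  # seeded defect, for the demonstration only
            index[f"{e}.{s}"].add((f"{elem}.{state}", row))
    products = defaultdict(list)
    for term in sorted(index):            # sorted terms keep each product ordered
        for key in index[term]:
            products[key].append(term)
    by_output = defaultdict(list)
    for (out, _row), terms in products.items():
        by_output[out].append(terms)
    return _format(by_output, "# generator B (different header text)")


def compare(lines_a, lines_b):
    """Line diff of two equation sets, ignoring comment and blank lines."""
    def equations(lines):
        return [l.strip() for l in lines
                if l.strip() and not l.strip().startswith("#")]
    diff = difflib.unified_diff(equations(lines_a), equations(lines_b),
                                "A", "B", n=0, lineterm="")
    return [d for d in diff
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]


if __name__ == "__main__":
    print(compare(generate_a(STATE_TABLE), generate_b(STATE_TABLE)))
    for line in compare(generate_a(STATE_TABLE),
                        generate_b(STATE_TABLE, seeded_defect=True)):
        print(line)
```

With the defect switched on, generator B drops the track-circuit condition from one equation and the comparison reports exactly that equation, which is the list of differences the method hands back for correction.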

The redundant generation and comparison step safely replaces prior art checking steps, which are carried out when the control and monitoring logic program is loaded in the central control unit and when functional field checks are carried out directly in the station system, thereby implying cost and duration drawbacks.

The checking step based on redundant generation and comparison of redundant sets of Boolean equations is performed either in the same computer as the generation computer or in a dedicated computer, and is relatively fast. Parallel generation may be performed temporarily in parallel either in the same computer or in separate computers.

The differences between the programs for generating sets of Boolean equations may be set at different levels. This may be obtained by using different programming languages or by having said generation programs developed by different teams of developers. For instance, when neural networks are used, a huge number of networks exist, provided by different developers, which analyze knowledge bases according to different rules, and generally providing identical results, although at slightly different times.

Obviously, redundant generation may not only be limited to one additional generation process and, when more than two generation programs are available, Boolean equations may be redundantly generated in two, three or more sets, whereby said equations, hence the station system-specific control and monitoring logic program, can be checked with a higher safety level, with no considerable increase of costs or processing times.

According to an improvement, a preliminary step may be provided in which the input database containing the station system diagram and the state table is generated and a check is performed on the translation of the station diagram and the program-specific correction table into the input format, so as to filter out wrong equations produced by wrongly coded station system information and of state table into the knowledge base language for generation programs. In this case, the preliminary step for station-specific generation of the control and monitoring logic program includes the steps for checking the knowledge base, both as regards the structure thereof and as regards the consistency of the data coded in the knowledge base with the system diagram and with the state table.

In a particular example, the above steps are performed as follows:

The knowledge base is constructed by reading the definitions and the data contained in the various input files of a “Diagrams directory” and of a “Station directory”. These definitions and data correspond to the station diagram expressed in a coded language and to the state table database respectively. After being read, the data and definitions are added to the knowledge base, which is used to properly perform the two successive operations.

The two generation programs require the following typical input diagram files:

-   configurazione.pl
-   componenti.pl
-   subnet.pl
-   agenda.pl

These files must be allocated in one directory, hereafter the “Diagrams directory”, which may be accessed by the two generation programs. Moreover, this directory shall contain a file (ending in a “.pl” extension) for each functional phase being referenced in the file ‘agenda.pl’. These functional steps are those defined at the station system diagram level.

The two generation programs require the following input files, which relate to the database obtained from the state table of each station:

-   db_tabella.pl
-   db2_tabella.pl

These files must be allocated in one directory, hereafter the “Station directory”, which may be accessed by the generation programs. This directory may be obviously different from the above defined “Diagrams directory”.

Upon processing, the generation programs generate the following report files, which are allocated in the ‘Diagrams directory’ and in the ‘Station directory’ respectively of their generation program:

-   ades2++_schemistica.log
-   ades2++_stazione.log
-   ades2_schemistica.log
-   ades2_stazione.log

In this case, the two generation programs are named ades2 and ades2++ respectively.

Regarding the programs ades2++ or ades2 or both, the above files contain text messages which relate to the various execution steps of the application, including any error messages generated by an improper syntax of input files or by errors during the generation of station-specific Boolean equations.

Therefore, the following Boolean equations are generated, for each specific station, in the following file, which is contained in the ‘Station directory’:

-   ades2++_equazioni.dat
-   ades2equazioni.dat

The format wherewith the generation program ades2++ writes Boolean equations is also used by ades2. Equivalent text lines will be added at the start or at the end of the file, and appropriate commentary lines will be inserted to delimit the equations produced for each functional step. If equations are generated more than once, the last two generated Boolean equations are saved in the ‘Station directory’, after being suitably renamed as:

-   ades2++_equazioni.bak
-   ades2_equazioni.bak

Starting from knowledge base data (provided the latter is correctly generated), a station logic is generated for each functional step as defined in the file “agenda.pl”. This logic is generated as an ordered set of logic circuits, each circuit being constructed by applying the relevant definitions of the principle diagram to station-specific data. Each circuit contains a network of components and a list of one or more terminal components.

The program for redundant generation of Boolean equations ades2++ converts the circuits generated during the previous step into Boolean equations. Each circuit is converted into one or more equations, the number of generated equations being also determined by certain configuration restrictions imposed by the central control unit, i.e. the so-called Station-based Vital Computer Apparatus.

Each equation is composed of a list of resulting Boolean variables and of an expression composed of operations on terms which include Boolean variables. Each of these variables represents in turn a (terminal or non-terminal) component of a circuit, or a ‘virtual’ component which is used to connect two equations constructed from the same circuit. The generation program writes each equation, in the appropriate order, in the file named ‘ades2++_equazioni.dat’, which is contained in the ‘Station directory’ associated to the selected station. In this file, equations are generated exactly in the same order as the one they have in the equivalent file, which is generated by the first generation program ades2.

A user interface example will be now described, specifically referring to the generation by the second generation program ades2++. Here a description will be provided of the step in which the knowledge base is loaded and the correctness and consistency check is performed, with further reference to the generation step involving the first generation program ades2 in the previous example.

When the application ADES2++ is launched in Windows, the following general information message will be displayed.

The computer screen will display an application window, containing all controls and buttons as shown in the underlying window. It shall be noted that the application release is mentioned in the window title. As usual, the window may be moved, minimized, maximized and closed, by using Windows typical buttons and features. It shall be further noted that the window shows the Diagrams directory and Station directory files which were used by the first program for generating the control and monitoring logic program, named ades2.

The window contains all controls that may be used to select the appropriate Diagrams and Station directories. Particularly, the window contains three buttons, each being used to select one of the previously described modes. Two additional buttons are also provided, which allow the user to consult diagram and station report files respectively. The status bar at the bottom of the window is used by the application to display certain status information. Buttons are always enabled, except when one of the main functions is running. This allows the user to use the application more than once, on the same dataset or on other datasets. The user may quit the application anytime, by closing the application window. In this case, the user will be asked to confirm exit, by using the following dialog.

In order to use the above features, the user shall fill the appropriate controls with the full name of the directories containing the input files relating to the diagrams and to the relevant station.

By left clicking the button ‘Carica Dati di Stazione’, the user may generate the knowledge base from diagram data and specific station data. If a knowledge base for the relevant station and diagrams has already been generated, the following warning message will be displayed, to ask the user to expressly confirm the new creation.

The knowledge base generation feature tries to sequentially read the indicated input files. If a file reading error occurs, a message like the one shown below is displayed and the knowledge base generation is terminated.

If one of the requested files is not found in the specified directories, a message like the one shown below is displayed and the knowledge base generation is terminated.

Moreover, if the specified files contain syntax errors, the knowledge base generation will terminate as soon as the first error is encountered, whereupon a message is displayed indicating the file name and line number whereat the error occurred (as shown below).

However, if the specified files contain no syntax errors, the knowledge base generation will continue until all input files have been read. Any other error detected in the definition of the principle diagram, expressed in input format, will be included in the report file generated in the ‘Diagrams directory’. Each inconsistent definition in the principle diagram will not be inserted in the knowledge base. However, incomplete definitions of the principle diagram, such as design rules associated to non-existent components, will be loaded anyway.

When errors occur, a relevant message will be displayed at the end of the generation process, as shown below.

By left clicking the button ‘Generate Station Logic’, ADES2++ will execute the Station Logic generation function, from the previously generated knowledge base. (If the database is incomplete, the generated logic is also incomplete.)

If the diagram and station logic has already been generated, before generating it anew, the user will be asked for a confirmation, by the following message.

While logic generation is running, appropriate messages will appear in the status bar, to indicate the functional step for which the system is generating the logic, and the number of generated circuits (for that step), as well as the total number of circuits generated until that moment.

The total number of generated circuits (for all steps) will be displayed in the status bar when the process is completed. It shall be noted that the number of generated circuits may be smaller than the number of equations which will be generated thereafter during the storage step.

During the logic generation step, depending on currently loaded data, one single component may be allocated as a terminal component to more than one logic circuit. Each occurrence of such event will be identified as an error, and as such it will be indicated in the report file generated in the ‘Station directory’. A message will also be displayed when the name of a component exceeds the maximum admitted length. If one or more errors have been detected at the end of the logic generation step, an appropriate warning message will appear on the screen, as shown below.

By left clicking the button ‘store station equations’, the generated logic circuits are converted into Boolean equations. (When no logic generation occurs, an empty file, i.e. containing no equation, will be generated.)

When an equation file has been previously generated for the same station, a backup copy thereof will be created before the new generation of equations starts.

It may happen that, while results are generated from a certain equation, the application tries to use a component which has been previously defined as ‘state’, but is not being used as a non-terminal component in any circuit. This event will be notified by the application. If no other terminal components are allocated to that circuit, no Boolean equation will be generated therefrom. In this case, the application will display a warning message at the end of the generation process, as shown below.

As usual, these events will be also reported in the report file created in the ‘Station directory’.

By left clicking one of the two buttons ‘Open Scheme report’ or ‘Open Station Report’, the user may recall the generated report files relating to the principle diagram expressed in input format or to station data. In other words, by clicking on one of these two buttons, the user may open a text window which reports the current content of the two files.

The user may open more report windows for the same file.

With reference to the above example, differences may result between the two generation programs in the input data consistency check procedures and in error messages during logic generation.

An equation file generated by ades2++ for a certain diagram and a certain station is directly comparable with the equation file generated by ades2 from the same files. Therefore, commercial comparison tools may be used to compare the two files.

Particularly, the number and order of equations, and the results of each equation in one file must be identical to those of the other file. The equation expressions of one file shall be also equivalent to those of the other file, i.e. each term and operation contained in the expression of an equation in a file shall also appear in the expression of the associated equation in the other file. The order of terms in any product or sum expression of an expression in a file may be different from the one of the associated expression in the other file. This is due to the fact that the algorithms which are used to construct the expressions are intentionally different in the two applications and, even though they both have to meet the strict station logic generation requirements (i.e. they have to be complete and expressed in correct order), there will be cases in which different requirements will involve differences in the order of expressions. Anyway, these cases will be very rare in practice.

Regarding comparison programs, this method has the advantage that commercial programs may be used, such as: MKS Visual Difference for Win32—Rel. 3.2b Mortice Kern Systems Inc and/or Microsoft® WinDiff—Rel. 4.0 Microsoft Corp.
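The comparison rule described above (same number, order and results of equations, with terms inside any sum or product free to appear in a different order) can be checked mechanically, as in the following added sketch, which is not part of the patent or of ades2/ades2++. The equation syntax (`+` sum, `*` product, `/` prefix negation) and the element names are assumptions, since the text does not give the file format.

```python
import re

# Assumed syntax, not from the patent: RESULT = expr with '+' (sum),
# '*' (product), '/' (prefix negation) and parentheses.
def canonical(expr):
    """Parse expr into a tree whose sum/product operands are sorted."""
    tokens, pos = re.findall(r"[A-Za-z_]\w*|[+*/()]|\S", expr), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def nary(op, operand):
        items = [operand()]
        while peek() == op:
            take()
            items.append(operand())
        # Sorting ignores operand order only; nothing is simplified.
        return items[0] if len(items) == 1 else (op, tuple(sorted(items, key=repr)))
    def factor():
        tok = take()
        if tok == "/":
            return ("/", factor())
        if tok == "(":
            node = nary("+", term)
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or not re.fullmatch(r"[A-Za-z_]\w*", tok):
            raise ValueError(f"operand expected, got {tok!r}")
        return tok
    def term():
        return nary("*", factor)
    tree = nary("+", term)
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree

def parse_file(text):
    pairs = (line.partition("=") for line in text.splitlines() if line.strip())
    return [(result.strip(), canonical(expr)) for result, _, expr in pairs]

def compare_equation_files(text_a, text_b):
    """Return a list of differences; an empty list means the files agree."""
    eqs_a, eqs_b = parse_file(text_a), parse_file(text_b)
    diffs = []
    if len(eqs_a) != len(eqs_b):
        diffs.append(f"equation count: {len(eqs_a)} vs {len(eqs_b)}")
    for n, ((res_a, tree_a), (res_b, tree_b)) in enumerate(zip(eqs_a, eqs_b), 1):
        if res_a != res_b:
            diffs.append(f"equation {n}: result {res_a} vs {res_b}")
        elif tree_a != tree_b:
            diffs.append(f"equation {n} ({res_a}): expressions differ")
    return diffs

# Constructed sample files: B only reorders terms, C drops a negation.
FILE_A = "SIG1 = TC1 * /SW1 + TC2 * SW1\nSW1N = /TC1 * (REQ1 + REQ2)\n"
FILE_B = "SIG1 = SW1 * TC2 + /SW1 * TC1\nSW1N = (REQ2 + REQ1) * /TC1\n"
FILE_C = "SIG1 = TC1 * SW1 + TC2 * SW1\nSW1N = /TC1 * (REQ1 + REQ2)\n"
```

A plain text diff would flag `FILE_B` against `FILE_A` even though only term order differs; this check accepts that pair and still reports the dropped negation in `FILE_C`.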

FIG. 2 shows a Vital Computer Stationary Apparatus, i.e. a central control and monitoring unit, according to the present invention, which also integrates the means for redundant generation of station system-specific control and monitoring logic programs.

Numeral 1 denotes a station having a plurality of different station elements 101 from 1 to N, such as signal lights, railroad switches, track circuits, and others.

Each element 101 is controlled by a driver which may consist of or include hardware or software, and is element-specific and always the same for each specific element. The drivers 2 have input interfaces for controls and output interfaces for feedback and diagnostic signals. These inputs and outputs are connected with appropriate inputs and outputs of a central control unit 3 which is named Vital Computer Stationary Apparatus.

This central unit 3 includes management programs, for controlling and monitoring the elements 101 as well as diagnostic programs, and also constitutes the interface between the personnel and the system.

From a functional point of view, the central unit may be divided into two main areas. One of them, indicated with numeral 103 in FIG. 2, is designed to execute diagnostic, element monitoring and element control procedures, and is composed of universally applicable procedure-oriented programs.

The other area, indicated with numeral 203 in FIG. 2, constitutes the real control and monitoring logic and consists of a control and monitoring logic program. This program may also possibly manage diagnostic functions, even though a special section is generally provided for diagnostics.

The two areas 103, 203, which are systematically separated, must coexist, otherwise the system cannot work. The general diagnostic, control and monitoring management programs shall be integrated or anyway interfaced with the control and monitoring logic. The latter is strictly dependent on and incorporates all peculiarities and specificities of the station system and of railroad traffic management rules that are applicable therein. Hence, the station logic shall be generated in such a manner as to be dedicated and specific to each station whereto the central unit 3 is associated. According to the invention, the Vital Computer Stationary Apparatus, i.e. the control and monitoring unit 3, includes means for automated generation of the control and monitoring logic program which are stably integrated, as section 303, in the system or software of said control unit 3.

Particularly, these means consist of means for inputting the station diagram 4 and the state switching rules 5 for the various elements for railroad traffic management in said station, and means for generating a knowledge base from said information, which is to be used by a program for generating said control and monitoring logic program. In the illustrated embodiment, said means consist of hardware means, i.e. of a dedicated computer or of the computer which also controls the central control and monitoring unit 3, and of the software loaded therein.

Particularly, said software is designed in such a manner as to ensure a redundant generation 7, 8 of control and monitoring logic programs and as to subsequently execute a check in the generation section 303 and/or the central control and monitoring unit 3, on the generated logic programs, on the basis of an identity comparison 6 between the multiple, particularly two, logic programs 7, 8 generated in parallel. Parallel generation is performed according to two different generation programs which retrieve data from the same knowledge base 4, 5 and provide the Boolean equations designed to form the core of the algorithms of control and monitoring logic programs. If the comparison results in the identity between the two sets of Boolean equations provided by the two different generation programs 7, 8, or having a certain difference degree, then said set of Boolean equations is deemed to be correct and is used to generate the control and monitoring logic program in its full form, which obviously requires sections of adaptation to the structural restrictions imposed by the construction of the central control and monitoring unit 3.

It shall be noted that the redundant generation of the control and monitoring logic 203 is not limited to two parallel generation procedures, and that three or more parallel generation procedures may be also provided.

By permanently adding the section 303 for generating the control and monitoring logic to the central control and monitoring unit 3, the central control and monitoring unit 3 may be easily modified and integrated, whenever changes are made to the railroad station system, e.g. elements are added or removed. Here, the section 303 for generating the control and monitoring logic would be only used to make a change to the previously used control and monitoring logic to account for system changes. Changes may be not only required by the addition or removal of elements to be controlled, but also by changes to element control and monitoring rules, which are summarized in the so-called state tables. In this case, the control and monitoring logic also needs to be changed.

The advantages of redundant generation and correctness check by comparison between the programs, i.e. the generated sets of Boolean equations, are particularly apparent when changes are made to the system. Here, while in prior art the modified logic should be typically field checked, thanks to the method of the invention, everything is processed by the computer of the central unit or by a computer-based secondary station. This drastically reduces system update times, as well as costs.

While the invention has been described with particular reference to software-based control logics, it shall be noted that it is also applicable when control logics are to be implemented in dedicated hardware. In this case, for example, networks of logic components in the form of relays or semiconductor components would replace the control and monitoring logic software, circuit diagrams being directly and automatically generated by generation programs.

Also, the above description clearly shows that the step of generating a software control and monitoring logic directly derives from the step of generating virtual logic circuits, further translated by the generation program into a software form, whose core is formed by sets of Boolean equations.

Obviously, the invention is not limited to the above description and figures, but may be greatly varied without departure from the inventive teaching disclosed above and claimed below.

1. A method of generating logic control units for railroad Station-based Vital Computer Apparatuses, i.e. for railroad station system control units comprising at least one vital computer which, on the basis of a control program operating in combination with a logic unit, sends state switching controls to so-called yard elements, i.e. devices that are designed to perform specific train circulation-related operations, such as signaling devices and/or railroad switches and/or track circuits, or the like, and receives state feedback and/or diagnostic signals from said yard elements, said logic unit being generated automatically by a program, on the basis of the surrounding conditions as defined by the station diagram, comprising the list of yard elements, and by a state table, wherein state assuming and/or state switching rules are settled for said yard elements, with reference to state and/or to state switching of the other yard elements and/or to the proper management of railroad traffic, said logic unit being a network of circuits with components operating according to Boolean logic functions and appropriately structured in compliance with the station diagram and with the state table, or said logic control unit being a program which includes algorithms composed of Boolean logic functions, which operate like networks of Boolean logic circuits, wherein it includes a step for checking the correctness of the automatically generated logic unit, which check step includes the following steps: parallel generation of two logic control units, according to the same station diagram and the same state table, each unit being generated by one of the two generation programs which are as different as possible from each other; comparison between the networks of logic circuits or the network-simulating logic programs provided by the two different generation programs to check for structural differences therebetween.
2. A method as claimed in claim 1, wherein, when an identity is achieved, the correctness of the networks of logic circuits or of the generated logic program is deemed to be checked.
3. A method as claimed in claim 1 wherein, when the two logic programs are found to be non-identical, an error checking step is performed, and the steps of parallel generation of the networks of logic circuits and/or network simulating virtual logic programs are repeated.
4. A method as claimed in claim 1, wherein the difference between the two generation programs relates to their languages or to the programming environments wherein they were written.
5. A method as claimed in claim 1, wherein the two different generation programs use different generation algorithms.
6. A method as claimed in claim 1, wherein the two different generation programs are two different neural networks.
7. A method as claimed in claim 1, wherein it includes a step for preparing a knowledge base containing station diagram related data and state table related data which are coded in such a manner as to be discernible by both generation programs.
8. A method as claimed in claim 7, wherein one or both generation programs include a pre-generation step, in which the knowledge base data is checked for consistency and correctness of both data structure and meaning.
9. A method as claimed in claim 1, wherein it includes a program for comparing the logic programs and/or the networks of logic circuits generated by the two generation programs, which comparison program is separated from the generation programs.
10. A method as claimed in claim 1, wherein the two generation programs generate the logic programs with the following procedure: Generation of networks of logic circuits which use logic hardware components; Conversion of the networks of logic circuits so generated into logic algorithms composed of sets of Boolean equations whose behavior corresponds to that of said networks of logic circuits.
11. A method as claimed in claim 1, wherein it is used when logic circuits and/or logic programs are to be changed to be adapted to changes of the station system diagram and/or of the state table.
12. A Vital Computer Stationary Apparatus including a computer wherein a program is loaded to control and monitor yard elements of a station system, which operate according to different rules, wherein the control program includes a section of general procedure-oriented programs, that are applicable both to the station system structure and to the state table, which program is interfaced and integrated with a control and monitoring logic program, which incorporates the station system structure and the state table, and is automatically generated and checked by a section of the Vital Computer Stationary Apparatus, that may be recalled at will with a method as claimed in claim 1.
13. A Vital Computer Stationary Apparatus as claimed in claim 12, wherein the section for generating the control and monitoring logic program constitutes a section for changing and/or updating said control and monitoring logic program.
14. A Station-based Vital Computer Apparatus as claimed in claim 12, wherein the section for generating the control and monitoring logic program comprises at least two different generation programs, for generating comparable control and monitoring logic programs which are loaded, after a successful identity check, in the memory of the Vital Computer Stationary Apparatus and are interfaced with the section of general procedure-oriented programs.